The Department of Justice recently recovered more than half of the ransom Colonial Pipeline paid to hackers after shutting down its East Coast pipeline for six days. Still, other corporate ransomware victims should not count on getting similar assistance.
The DOJ announced on June 7 that it recovered $2.3 million worth of the $4.4 million in bitcoin paid by Colonial Pipeline. It isn't the first time U.S. law enforcement agencies have recovered ransom money paid. But recovery is "not proven as a systemic, repeatable answer at scale," said Bryson Bort, CEO of Scythe, a vendor of a cybersecurity adversary emulation platform.
In this case, the DOJ's actions were encouraging, added Keatron Evans, a principal security researcher at Infosec Institute, a cybersecurity training provider. "But it should be pointed out that this result is not typical and probably won't be," he added. "How many resources did the FBI have to put on this to do what was done? The answer is likely many."
The potential downside is that other attacked organizations may expect the same results, Evans added. "My fear is that every organization will think this will be their outcome, so organizations that would normally hold off on paying the ransom might now pay it quickly, hoping the FBI will come in and get their money back," he told the Washington Examiner. "I don't think that is a realistic expectation in most cases, especially for the smaller ransom demands."
The DOJ and FBI have provided few details about how they recovered the 63.7 bitcoins paid to DarkSide, an Eastern European hacking group that the DOJ described as a ransomware-as-a-service provider.
The FBI was able to trace the bitcoin payments by monitoring the Bitcoin public ledger, which anyone can inspect. Agents tracked multiple bitcoin transfers and identified that approximately 63.7 bitcoins had been moved to a specific virtual wallet. The FBI had that wallet's "private key," the secret that authorizes spending the bitcoins it holds, much as a password does.
The DOJ did not disclose how the FBI gained access to the private key to access the virtual wallet.
Some cybersecurity experts suggested law enforcement may have obtained the private key through hacking efforts, and that this announcement may mark a new era of law enforcement hacking campaigns. Others suggested the virtual wallet may have been seized earlier in an investigation.
"Bitcoin does not have a central bank or registry that can be approached by the DOJ," said Aviram Jenik, CEO at Beyond Security, a cybersecurity vendor. "This means the bitcoin recovery is a euphemism for breaking into the target's computer and taking over their bitcoin wallet."
The DOJ efforts also show that cryptocurrency may not be as secure as advertised, Jenik told the Washington Examiner. "It shows that one of bitcoin's basic premises, that it is a currency that is outside the reach of the government, is probably incorrect," he said. "If the U.S. government can do it, the Chinese government can probably do it, too, and soon, every other government will learn how to do it. Bitcoin wallets are going to be just like safety deposit boxes — something that may be out of sight but not out of reach."
The DOJ intended to disrupt the profit motives of the ransomware hackers, Lisa Monaco, the DOJ's deputy attorney general, said during a press conference.
Ransomware is a national and economic security threat to the United States, she said, and law enforcement agencies will use "all the tools at our disposal" to disrupt ransomware networks. "Ransomware attacks are always unacceptable," she added. "But when they target critical infrastructure, we will spare no effort in our response."
Several cybersecurity experts praised the DOJ for putting ransomware hackers on notice that the fight against them is escalating.
"It's clear the government is attempting to address the rapidly growing ransomware issue from all angles," said Brian Pawlowski, senior vice president and chief development officer at Quantum, a ransomware protection vendor. "This offensive strategy represents a new tactic to combat ransomware."
The hunter is becoming the hunted, Pawlowski told the Washington Examiner. "Just like criminals have access to the latest technology to access a network and leave no trace, IT security managers do as well," he said. "We recommend they not only leverage the available tools to combat ransomware or other malware but master them."
Original Author: Grant Gross